- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Trying to set colors for a pie chart based on text...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is my search query.
index=sdm host=sdm1
| fields Level
| stats values(Level), count by Level
| sort Level
| rename Level as Messages, count as Occurrences
| eval Messages1=Messages." : ".Occurrences
| table Messages1, Occurrences
Here are the XML chart options for the pie chart. I have tried multiple options; all failed.
Test 1
<option name="charting.fieldColors">{"SIGNIFICANT":0x39da2b,"ERROR":0xfdff00","SEVERE_ERROR":0xf70606,"EXIT":0xffffff}</option>
Test 2
<option name="charting.legend.labels">[SIGNIFICANT,ERROR,SEVERE_ERROR,EXIT]</option>
<option name="charting.seriesColors">[0x39da2b,0xfdff00,0xf70606,0xffffff]</option>
Test 3
<option name="charting.legend.labels">[ERROR,EXIT,SEVERE_ERROR,SIGNIFICANT]</option>
<option name="charting.seriesColors">[0xfdff00,0xffffff,0xf70606,0x39da2b]</option>
What is interesting and perplexing is that dependent upon the time selected in the Time Picker the colors displayed in the dashboard panel change. I don't have enough Karma to upload pics.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@genesiusj if you are creating labels for pie chart to include both name and count, then the label will not remain fixed and you would not be able to use charting.fieldColors. So
1) Either take out Occurences from label and then use charting.fieldColors
index=sdm host=sdm1
| fields Level
| stats count as Occurences by Level
| sort Level
| rename Level as Message
2) Or change the query to have all the labels show up in the pie chart in the same sequence, (i.e. null fields should be added to result with Occurence as 0 and sorting should be by field names and not by Occurence count)
Refer to some of my previous answers:
https://answers.splunk.com/answers/734408/how-to-assign-fixed-colors-to-pie-chart-with-dinam.html
https://answers.splunk.com/answers/700109/can-you-help-me-with-a-problem-im-having-with-my-p.html
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@genesiusj if you are creating labels for pie chart to include both name and count, then the label will not remain fixed and you would not be able to use charting.fieldColors. So
1) Either take out Occurences from label and then use charting.fieldColors
index=sdm host=sdm1
| fields Level
| stats count as Occurences by Level
| sort Level
| rename Level as Message
2) Or change the query to have all the labels show up in the pie chart in the same sequence, (i.e. null fields should be added to result with Occurence as 0 and sorting should be by field names and not by Occurence count)
Refer to some of my previous answers:
https://answers.splunk.com/answers/734408/how-to-assign-fixed-colors-to-pie-chart-with-dinam.html
https://answers.splunk.com/answers/700109/can-you-help-me-with-a-problem-im-having-with-my-p.html
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay
Thanks, that worked. Since I would like to keep the occurrences (count) for each Level, I went with the charting.seriesColors. I used the SPL code from your
https://answers.splunk.com/answers/700109/can-you-help-me-with-a-problem-im-having-with-my-p.html
link.
Your SPL is really complex (for a newbie like myself - only Fundamentals 1 thus far). And I am trying to understand it more. Would you be able to direct me to some resources that would explain this more clearly? "Teach a man to fish...."
Again, thank you for the code and the quick response.
God bless,
Genesius
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay
As this is a new Splunk implementation, before I get a chance to complete one thing, another is tossed our way.
I am getting back to old forum posts to Accept answers from those who have directed me down the correct path.
Apologies for the delay.
BTW, I want to mark your answer as Accept, but the check is above my comment, not yours. If you repost your comment, I should be able to accept it...I hope.
Thanks and God bless,
Genesius
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@genesiusj I am glad the solution worked for you. Please go ahead and try to accept now as I see the comment is already converted as answer!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay
Done. Thanks again and God bless,
Genesius
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Continued from original post.
This option worked for another panel in this dashboard with a bar chart.
<option name="charting.fieldColors">{"SIGNIFICANT":0x39da2b,"ERROR":0xfdff00","SEVERE_ERROR":0xf70606,"EXIT":0xffffff}</option>
Using this query.
index=sdm host=sdm*
| eval Server = if(host="sdm1", "Prod", "Test")
| stats
count(eval(Level="SIGNIFICANT")) as SIGNIFICANT
count(eval(Level="ERROR")) as ERROR
count(eval(Level="SEVERE_ERROR")) as SEVERE_ERROR
count(eval(Level="EXIT")) as EXIT
by Server
Thanks and God bless,
Genesius
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
